Yahoo Axis Private Certificate Key Leaked at Launch

Though the security issue has been resolved, Yahoo slightly botched the launch of Axis, its new mobile browser and desktop extension, by leaking its private certificate file in the source code of the Chrome extension. The private certificate was used to sign the extension, and could have been used to create a false extension that would be authenticated as officially from Yahoo.

Nik Cubrilovic, an entrepreneur, hacker, and blogger at New Web Order, revealed Yahoo’s mistake in a blog post. There, he warned users of the danger the leak posed and demonstrated how the vulnerability could be exploited by creating his own, harmless, forged extension. From the blog post:

The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victims machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension.

Cubrilovic, after realizing what dangers the leak posed, quickly reported the mistake to Yahoo. According to The Next Web, Yahoo responded by pulling down the Chrome extension and blacklisting the leaked certificate key. The Next Web quoted a Yahoo spokesperson as saying:

Since discovering this issue we have immediately pulled down the chrome extension. We have blacklisted the exposed cert key with Google which has resolved the vulnerability. An updated chrome extension should be available within the next 30 minutes with this issue completely resolved. We take issues like this very seriously and are dedicated to working around the clock to ensure resolution. We apologize for any inconvenience.

A new Chrome extension is already available for Axis. The mishap only slightly tarnishes what was otherwise a smooth launch for Yahoo’s new mobile browser. There have been no reports of any malicious software spread using the vulnerability, so score one for Cubrilovic and the rest of the white hat hackers of the world.